CH30 Policies and Procedures Flashcards

1
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

a. Data custodian
b. Data steward
c. Data Owner
d. Privacy officer

A

c. Data Owner

A data owner is the person responsible for the confidentiality, integrity, availability, and privacy of information assets. Data owners are usually senior executives, people with both the authority and the responsibility for the asset. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations.

2
Q

Your company is setting up a system to accept credit cards in its retail and online locations. Which of the following compliance types should you be MOST concerned with when dealing with credit cards?

a. PHI
b. PCI-DSS
c. GDPR
d. PII

A

b. PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to host your data securely and follow PCI compliance requirements.

3
Q

Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union?

a. PHI
b. PCI
c. GDPR
d. PII

A

c. GDPR

GDPR (General Data Protection Regulation) is a regulation that applies to companies that do business in the European Union. The four forms of regulated data covered by the CompTIA A+ (220-1002) exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information).

4
Q

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database?

a. Anonymization
b. Tokenization
c. Data minimization
d. Data masking

A

b. Tokenization

OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

5
Q

What information should be recorded on a chain of custody form during a forensic investigation?

a. Any individual who worked with evidence during the investigation
b. The list of former owners/operators of the workstation involved in the investigation
c. The list of individuals who made contact with files leading to the investigation
d. The law enforcement agent who was first on the scene

A

a. Any individual who worked with evidence during the investigation

OBJ-4.5: Chain of custody forms list every person who has worked with or touched the evidence that is part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but they are not required to be on the chain of custody form.

6
Q

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?

a. FERPA
b. GLBA
c. SOX
d. HIPAA

A

b. GLBA

OBJ-5.2: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

7
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected?

a. COSO
b. GLBA
c. SOX
d. HIPAA

A

d. HIPAA

OBJ-5.2: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO’s ERM integrated framework defines risk and related common terminology, lists the key components of risk management strategies, and supplies direction and criteria for enhancing risk management practices.

8
Q

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices’ data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?

a. Perform a cryptographic erase (CE) on the storage devices
b. Conduct zero-fill on the storage devices
c. Use a secure erase (SE) utility on the storage devices
d. Incinerate and replace the storage devices

A

a. Perform a cryptographic erase (CE) on the storage devices

OBJ-2.7: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the drives are self-encrypting, so the data at rest is already encrypted. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage devices will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

9
Q

Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

a. Data Controller
b. Data owner
c. Data steward
d. Data protection officer

A

d. Data protection officer

OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that the organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. The DPO must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

10
Q

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

a. Memorandum of understanding
b. Rules of engagement
c. Service level agreement
d. Acceptable use policy

A

b. Rules of engagement

OBJ-1.8: While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.

11
Q

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company’s owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer’s hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?

a. Purging
b. Degaussing
c. Wiping
d. Shredding

A

c. Wiping

OBJ-2.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with 1, 7, or 35 overwriting passes, with a higher number of passes being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing the drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device’s internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

12
Q

Which of the following categories would contain information about a French citizen’s race or ethnic origin?

a. SPI
b. DLP
c. PII
d. PHI

A

a. SPI

OBJ-5.5: According to the GDPR, information about an individual’s race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject’s opinions, beliefs, and nature that is afforded specially protected status by privacy legislation. As it cannot be used to uniquely identify somebody or to make any relevant assertions about health, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

13
Q

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?

a. Data minimization
b. Anonymization
c. Tokenization
d. Data masking

A

a. Data minimization

OBJ-5.5: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field’s contents are redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

14
Q

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

a. Clear
b. Degauss
c. Purge
d. Destroy

A

a. Clear

OBJ-2.7: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

15
Q

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?

a. Utilize formal methods of verification against the application processing the PHI
b. Use DevSecOps to build the application that processes the PHI
c. Utilize a SaaS model to process the PHI data instead of an on-premises solution
d. Conduct tokenization of the PHI data before ingesting it into the big data application

A

d. Conduct tokenization of the PHI data before ingesting it into the big data application

OBJ-3.2: The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of the data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data does not need to be retained after ingestion for the research project; only the medical data itself is needed. While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue, making it a less ideal answer choice for the exam. Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak it. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system’s inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects. The option that recommends utilizing a SaaS model is not realistic. There is unlikely to be a SaaS provider with a product suited to the big data research being done. SaaS products tend to be commoditized software products that are hosted in the cloud. The idea of migrating to a SaaS is a distractor on this exam, which is trying to get you to think about shifting the responsibility for the PHI to the service provider and away from the university, but due to the research nature of the project, this is unlikely to be a valid option in the real world and may not be legally allowed due to the PHI being processed.
